WX1800H series

H3C WX1800H series User Configuration Manual

  • Hello! I am an AI chatbot trained to assist you with the H3C WX1800H series User Configuration Manual. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
H3C Access Controllers
ACL and QoS Configuration Guide
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Document version: 6W101-2017112
2
Copyright © 2017, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H
3
Care, , IRF, NetPilot, Netflow, SecEngine,
SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies
Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C access controllers documentation set describes the software features for the H3C access
controllers and guide you through the software configuration procedures. These guides also provide
configuration examples to help you apply software features to different network scenarios.
The ACL and QoS Configuration Guide describes ACL, QoS, and time range configurations.
This preface includes the following topics about the documentation:
Hardware and software compatibility matrix
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback
Hardware and software compatibility matrix
Table 1 Hardware and software compatibility matrix
Hardware series
Model
Product version
WX1800H series
WX1804H
WX1810H
WX1820H
WX1804H-CMW710-E5208P03
WX1810H-CMW710-E5215P01
WX1820H-CMW710-E5208P03
WX2500H series
WX2510H
WX2540H
WX2560H
WX2510H-CMW710-R5215P01
WX2540H-CMW710-R5215P01
WX2560H-CMW710-R5215P01
WX3000H series
WX3010H
WX3010H-L
WX3010H-X
WX3024H
WX3024H-L
WX3010H-CMW710-R5215P01
WX3010HL-CMW710-R5215P01
WX3010HX-CMW710-R5215P01
WX3024H-CMW710-R5215P01
WX3024HL-CMW710-R5215P01
WX3500H series
WX3508H
WX3510H
WX3520H
WX3540H
WX3508H-CMW710-R5215P01
WX3510H-CMW710-R5215P01
WX3520H-CMW710-R5215P01
WX3540H-CMW710-R5215P01
WX5500E series
WX5510E
WX5540E
WX5510E-CMW710-R5215P01
WX5540E-CMW710-R5215P01
WX5500H series
WX5540H
WX5560H
WX5580H
WX5540H-CMW710-R5215P01
WX5560H-CMW710-R5215P01
WX5580H-CMW710-R5215P01
Access controller modules
EWPXM1MAC0F
EWPXM1WCME0
EWPXM2WCMD0F
LSQM1WCMX20
LSQM1WCMX40
LSUM1WCME0
LSUM1WCMX20RT
WCMX40-CMW710-R5215P01
WCMX40-CMW710-R5215P01
WCMX20-CMW710-R5215P01
WCMX20-CMW710-R5215P01
WCMX40-CMW710-R5215P01
WCMX40-CMW710-R5215P01
WCMX20-CMW710-R5215P01
Hardware series
Model
Product version
LSUM1WCMX40RT
WCMX40-CMW710-R5215P01
Audience
This documentation is intended for:
Network planners.
Field technical support and servicing engineers.
Network administrators working with the H3C access controllers.
Conventions
The following information describes the conventions used in the documentation.
Command conventions
Convention
Description
Boldface Bold
text represents commands and keywords that you enter literally as shown.
Italic
Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars,
from which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select a minimum of one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign
can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Description
Boldface
Window names, button names, field names, and menu items are in Boldface. For
example, the
New User
window opens; click
OK
.
>
Multi-level menus are separated by angle brackets. For example,
File
>
Create
>
Folder
.
Symbols
Description
WARNING!
An alert that calls attention to important information that if not understood or followed
can result in personal injury.
Description
CAUTION:
An alert that calls attention to important information that if not understood or followed
can result in data loss, data corruption, or damage to hardware or software.
An alert that calls attention to essential information.
An alert that contains additional or supplementary information.
An alert that provides helpful information.
Network topology icons
Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that
supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access
controller engine on a unified wired-WLAN switch.
Represents an access point.
Wireless terminator unit.
Wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security
gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL
VPN, IPS, or ACG module.
Examples provided in this document
Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.
Obtaining documentation
To access the most up-to-date H3C product documentation, go to the H3C website at
T
T
T
T
http://www.h3c.com.hk
To obtain information about installation, configuration, and maintenance, click
http://www.h3c.com.hk/Technical_Documents
To obtain software version information such as release notes, click
http://www.h3c.com.hk/Software_Download
Technical support
service@h3c.com
http://www.h3c.com.hk
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
i
Contents
Configuring ACLs ············································································· 1
Overview ·································································································································· 1
ACL types ·························································································································· 1
Numbering and naming ACLs ································································································ 1
Match order ························································································································ 1
Rule numbering ·················································································································· 2
Fragments filtering with ACLs ································································································ 3
Compatibility information ············································································································· 3
Feature and hardware compatibility ························································································· 3
Command and hardware compatibility ····················································································· 4
Configuration restrictions and guidelines ························································································· 4
Configuration task list·················································································································· 4
Configuring a basic ACL ·············································································································· 5
Configuring an IPv4 basic ACL ······························································································· 5
Configuring an IPv6 basic ACL ······························································································· 5
Configuring an advanced ACL ······································································································ 6
Configuring an IPv4 advanced ACL ························································································· 6
Configuring an IPv6 advanced ACL ························································································· 7
Configuring a Layer 2 ACL ··········································································································· 8
Configuring a WLAN client ACL ···································································································· 9
Configuring a WLAN AP ACL ····································································································· 10
Copying an ACL ······················································································································ 10
Configuring packet filtering with ACLs ·························································································· 11
Applying an ACL to an interface for packet filtering ··································································· 11
Configuring SNMP notifications for packet filtering ···································································· 12
Setting the packet filtering default action················································································· 12
Displaying and maintaining ACLs ································································································ 13
ACL configuration example ········································································································ 14
Network requirements ········································································································ 14
Configuration procedure ····································································································· 14
Verifying the configuration ··································································································· 15
QoS overview ················································································ 16
Compatibility information ··········································································································· 16
Feature and hardware compatibility ······················································································· 16
Command and hardware compatibility ··················································································· 17
QoS service models ················································································································· 17
Best-effort service model ···································································································· 17
IntServ model ··················································································································· 17
DiffServ model ·················································································································· 17
QoS techniques overview ·········································································································· 17
Deploying QoS in a network ································································································ 18
QoS processing flow in a device ··························································································· 18
Configuring a QoS policy ································································· 19
Non-MQC approach ················································································································· 19
MQC approach ························································································································ 19
Configuration procedure diagram ································································································ 19
Defining a traffic class ··············································································································· 19
Defining a traffic behavior ·········································································································· 20
Defining a QoS policy ··············································································································· 20
Applying the QoS policy ············································································································ 20
Applying the QoS policy to an interface ·················································································· 21
Applying the QoS policy to a user profile ················································································ 21
Displaying and maintaining QoS policies ······················································································· 22
ii
Configuring priority mapping ····························································· 23
Overview ································································································································ 23
Introduction to priorities ······································································································ 23
Priority maps ···················································································································· 23
Priority mapping configuration tasks ····························································································· 23
Configuring a priority map ·········································································································· 24
Configuring a port to trust packet priority for priority mapping ····························································· 24
Changing the port priority of an interface ······················································································· 25
Displaying and maintaining priority mapping ·················································································· 25
Priority mapping configuration examples ······················································································· 25
Network requirements ········································································································ 25
Configuration procedure ····································································································· 26
Configuring traffic policing ································································ 27
Overview ································································································································ 27
Traffic evaluation and token buckets ······················································································ 27
Traffic policing ·················································································································· 27
Configuration procedure ············································································································ 28
Configuring traffic policing by using the MQC approach ····························································· 28
Configuring traffic policing for a user profile by using the non-MQC approach ································· 29
Displaying and maintaining traffic policing ····················································································· 30
Configuring traffic filtering ································································ 31
Configuration procedure ············································································································ 31
Configuration example ·············································································································· 31
Network requirements ········································································································ 31
Configuration procedure ····································································································· 32
Configuring priority marking ······························································ 33
Configuration procedure ············································································································ 33
Configuration example ·············································································································· 34
Network requirements ········································································································ 34
Configuration procedure ····································································································· 34
Appendixes ··················································································· 36
Appendix A Acronym ················································································································ 36
Appendix B Default priority maps ································································································· 36
Appendix C Introduction to packet precedences ············································································· 38
IP precedence and DSCP values ·························································································· 38
802.1p priority ··················································································································· 39
802.11e priority ················································································································· 40
Configuring time ranges ··································································· 41
Feature and hardware compatibility ····························································································· 41
Configuration procedure ············································································································ 42
Displaying and maintaining time ranges ························································································ 42
Time range configuration example ······························································································· 42
Index ··························································································· 44
1
Configuring ACLs
Overview
An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP
address, destination IP address, and por t number. The rules are also called permit or deny
statements.
ACLs are primarily used for packet filtering. "Configuring packet filtering with ACLs" provides an
example. You can use ACLs in QoS, security, routing, and other modules for identifying traffic. The
packet drop or forwarding decisions depend on the modules that use ACLs.
ACL types
Type
ACL number
IP version
Match criteria
WLAN client ACL 100 to 199 IPv4 and IPv6 SSID.
WLAN AP ACL 200 to 299 IPv4 and IPv6 AP MAC address and AP serial ID.
Basic ACLs 2000 to 2999
IPv4 Source IPv4 address.
IPv6 Source IPv6 address.
Advanced ACLs 3000 to 3999
IPv4
Source IPv4 address, destination IPv4
address, packet priority, protocol number, and
other Layer 3 and Layer 4 header fields.
IPv6
Source IPv6 address, destination IPv6
address, packet priority, protocol number, and
other Layer 3 and Layer 4 header fields.
Layer 2 ACLs 4000 to 4999 IPv4 and IPv6
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority,
and link layer protocol type.
Numbering and naming ACLs
When creating an ACL, you must assign it a number or name for identification. You can specify an
existing ACL by its number or name. Each ACL type has a unique range of ACL numbers.
For an IPv4 basic or advanced ACL, its ACL number or name must be unique in IPv4. For an IPv6
basic or advanced ACL, its ACL number and name must be unique in IPv6. For a Layer 2, WLAN
client, or WLAN AP ACL, its number or name must be globally unique.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops
the match process and performs the action defined in the rule. If an ACL contains overlapping or
conflicting rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before
a rule with a higher ID. If you use this method, check the rules and their order carefully.
2
NOTE:
The match order of WLAN client ACLs and WLAN AP ACLs can only be config.
auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule
is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first
ordering uses to sort rules for each type of ACL.
Table 1 Sort ACL rules in depth-first order
ACL type
Sequence of tie breakers
IPv4 basic ACL
1. VPN instance.
2. More 0s in the source IPv4 address wildcard (more 0s means a
narrower IPv4 address range).
3. Rule configured earlier.
IPv4 advanced ACL
1. VPN instance.
2. Specific protocol number.
3. More 0s in the source IPv4 address wildcard mask.
4. More 0s in the destination IPv4 address wildcard.
5. Narrower TCP/UDP service port number range.
6. Rule configured earlier.
IPv6 basic ACL
1. VPN instance.
2. Longer prefix for the source IPv6 address (a longer prefix means a
narrower IPv6 address range).
3. Rule configured earlier.
IPv6 advanced ACL
1. VPN instance.
2. Specific protocol number.
3. Longer prefix for the source IPv6 address.
4. Longer prefix for the destination IPv6 address.
5. Narrower TCP/UDP service port number range.
6. Rule configured earlier.
Layer 2 ACL
1. More 1s in the source MAC address mask (more 1s means a smaller
MAC address).
2. More 1s in the destination MAC address mask.
3. Rule configured earlier.
A wildcard mask, also called an i nverse mask, is a 32 -bit binary number represented in dotted
decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent "do care"
bits, and the 1 bits represent "don't care" bits. If the "do care" bits in an IP address are identical to the
"do care" bits in an IP address criterion, the IP address matches the criterion. All "don't care" bits are
ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a
valid wildcard mask.
Rule numbering
ACL rules can be m anually numbered or automatically numbered. This section describes how
automatic ACL rule numbering works.
Rule numbering step
If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system automatically numbers rules. For
example, the default ACL rule numbering step is 5. If you do not assign IDs to rules you are creating,
they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more
rules you can insert between two rules.
3
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility
of inserting rules in an ACL. This feature is important for a config-order ACL, where ACL rules are
matched in ascending order of rule ID.
Automatic rule numbering and renumbering
The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step
to the current highest rule ID, starting with 0.
For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined
rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the
step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.
Fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and al lows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the ACL feature is designed as follows:
Filters all fragments by default, including non-first fragments.
Allows for matching criteria modification for efficiency. For example, you can configure the ACL
to filter only non-first fragments.
Compatibility information
Feature and hardware compatibility
Hardware series
Model
ACL compatibility
WX1800H series
WX1804H
WX1810H
WX1820H
Yes
WX2500H series
WX2510H
WX2540H
WX2560H
Yes
WX3000H series
WX3010H
WX3010H-L
WX3010H-X
WX3024H
WX3024H-L
Yes:
WX3010H
WX3010H-X
WX3024H
No:
WX3010H-L
WX3024H-L
WX3500H series
WX3508H
WX3510H
WX3520H
WX3540H
Yes
WX5500E series
WX5510E
WX5540E
Yes
WX5500H series WX5540H Yes
4
Hardware series
Model
ACL compatibility
WX5560H
WX5580H
Access controller modules
EWPXM1MAC0F
EWPXM1WCME0
EWPXM2WCMD0F
LSQM1WCMX20
LSQM1WCMX40
LSUM1WCME0
LSUM1WCMX20RT
LSUM1WCMX40RT
Yes
Command and hardware compatibility
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the
slot keyword or the slot-number argument.
Configuration restrictions and guidelines
Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or
has functions enabled in addition to the following match criteria and functions:
Source and destination IP addresses.
Source and destination ports.
Transport layer protocol.
ICMP or ICMPv6 message type, message code, and message name.
VPN instance.
Logging.
Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation,
which affects the device forwarding performance.
Configuration task list
Tasks at a glance
(Required.) Configure ACLs according to the characteristics of the packets to be matched:
Configuring a basic ACL
Configuring an IPv4 basic ACL
Configuring an IPv6 basic ACL
Configuring an advanced ACL
Configuring an IPv4 advanced ACL
Configuring an IPv6 advanced ACL
Configuring a Layer 2 ACL
Configuring a WLAN client ACL
Configuring a WLAN AP ACL
(Optional.) Copying an ACL
5
Tasks at a glance
(Optional.) Configuring packet filtering with ACLs
Configuring a basic ACL
This section describes procedures for configuring IPv4 and IPv6 basic ACLs.
Configuring an IPv4 basic ACL
IPv4 basic ACLs match packets based only on source IP addresses.
To configure an IPv4 basic ACL:
Step
Command
Remarks
1. Enter system view.
system-view
N/A
2. Create an IPv4 basic ACL
and enter its view.
acl basic
{ acl-number |
name
acl-name } [
match-order
{
auto
|
config
} ]
By default, no ACL exists.
The value range for a numbered
IPv4 basic ACL is 2000 to 2999.
Use the
acl basic
acl-number
command to enter the view of a
numbered IPv4 basic ACL.
Use the
acl basic
name
acl-name command to enter the
view of a named IPv4 basic ACL.
3. (Optional.) Configure a
description for the IPv4 basic
ACL.
description
text
By default, an IPv4 basic ACL
does not have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering
step is 5 and the start rule ID is 0.
5. Create or edit a rule.
rule
[ rule-id ] {
deny
|
permit
}
[
fragment
|
source
{ source-address source-wildcard
|
any
} |
time-range
time-range-name ] *
By default, an IPv4 basic ACL
does not contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Configuring an IPv6 basic ACL
IPv6 basic ACLs match packets based only on source IP addresses.
To configure an IPv6 basic ACL:
Step
Command
Remarks
1. Enter system view.
system-view
N/A
6
Step
Command
Remarks
2. Create an IPv6 basic ACL
view and enter its view.
acl ipv6 basic
{ acl-number |
name
acl-name } [
match-order
{
auto
|
config
} ]
By default, no ACL exists.
The value range for a numbered
IPv6 basic ACL is 2000 to 2999.
Use the
acl ipv6 basic
acl-number command to enter the
view of a numbered IPv6 basic
ACL.
Use the
acl
ipv6
basic
name
acl-name command to enter the
view of a named IPv6 basic ACL.
3. (Optional.) Configure a
description for the IPv6 basic
ACL.
description
text
By default, an IPv6 basic ACL
does not have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering
step is 5 and the start rule ID is 0.
5. Create or edit a rule.
rule
[ rule-id ] {
deny
|
permit
}
[
fragment
|
routing
[
type
routing-type ] |
source
{ source-address source-prefix |
source-address/source-prefix |
any
} |
time-range
time-range-name ] *
By default, an IPv6 basic ACL
does not contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Configuring an advanced ACL
This section describes procedures for configuring IPv4 and IPv6 advanced ACLs.
Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on the following criteria:
Source IP addresses.
Destination IP addresses.
Packet priorities.
Protocol numbers.
Other protocol header information, such as TCP/UDP source and destination port numbers,
TCP flags, ICMP message types, and ICMP message codes.
Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv4 advanced ACL:
Step
Command
Remarks
1. Enter system view.
system-view
N/A
7
Step
Command
Remarks
2. Create an IPv4 advanced
ACL and enter its view.
acl advanced
{ acl-number |
name
acl-name } [
match-order
{
auto
|
config
} ]
By default, no ACL exists.
The value range for a numbered
IPv4 advanced ACL is 3000 to
3999.
Use the
acl advanced
acl-number command to enter the
view of a numbered IPv4
advanced ACL.
Use the
acl advanced name
acl-name command to enter the
view of a named IPv4 advanced
ACL.
3. (Optional.) Configure a
description for the IPv4
advanced ACL.
description
text
By default, an IPv4 advanced
ACL does not have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering
step is 5 and the start rule ID is 0.
5. Create or edit a rule.
rule
[ rule-id ] {
deny
|
permit
}
protocol [ { {
ack
ack-value |
fin
fin-value |
psh
psh-value |
rst
rst-value |
syn
syn-value |
urg
urg-value } * |
established
} |
destination
{ dest-address
dest-wildcard |
any
} |
destination-port
operator port1
[ port2 ] | {
dscp
dscp |
{
precedence
precedence |
tos
tos } * } |
fragment
|
icmp-type
{ icmp-type [ icmp-code ] |
icmp-message } |
source
{ source-address source-wildcard
|
any
} |
source-port
operator
port1 [ port2 ] |
time-range
time-range-name ] *
By default, an IPv4 advanced
ACL does not contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Configuring an IPv6 advanced ACL
IPv6 advanced ACLs match packets based on the following criteria:
Source IPv6 addresses.
Destination IPv6 addresses.
Packet priorities.
Protocol numbers.
Other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination
port number, ICMPv6 message type, and ICMPv6 message code.
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.
To configure an IPv6 advanced ACL:
Step
Command
Remarks
1. Enter system view.
system-view
N/A
8
Step
Command
Remarks
2. Create an IPv6 advanced
ACL and enter its view.
acl ipv6 advanced
{ acl-number |
name
acl-name } [
match-order
{
auto
|
config
} ]
By default, no ACL exists.
The value range for a numbered
IPv6 advanced ACL is 3000 to
3999.
Use the
acl ipv6 advanced
acl-number command to enter the
view of a numbered IPv6
advanced ACL.
Use the
acl
ipv6 advanced
name
acl-name command to
enter the view of a named IPv6
advanced ACL.
3. (Optional.) Configure a
description for the IPv6
advanced ACL.
description
text
By default, an IPv6 advanced
ACL does not have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering
step is 5 and the start rule ID is 0.
5. Create or edit a rule.
rule
[ rule-id ] {
deny
|
permit
}
protocol [ { {
ack
ack-value |
fin
fin-value |
psh
psh-value |
rst
rst-value |
syn
syn-value |
urg
urg-value } * |
established
} |
destination
{ dest-address
dest-prefix |
dest-address/dest-prefix |
any
} |
destination-port
operator port1
[ port2 ] |
dscp
dscp |
flow-label
flow-label-value |
fragment
|
icmp6-type
{ icmp6-type
icmp6-code | icmp6-message } |
routing
[
type
routing-type ] |
hop-by-hop
[
type
hop-type ] |
source
{ source-address
source-prefix |
source-address/source-prefix
|
any
} |
source-port
operator
port1 [ port2 ] |
time-range
time-range-name ] *
By default, IPv6 advanced ACL
does not contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Configuring a Layer 2 ACL
Layer 2 ACLs, also called "Ethernet frame header ACLs," match packets based on Layer 2 Ethernet
header fields, such as:
Source MAC address.
Destination MAC address.
802.1p priority (VLAN priority).
Link layer protocol type.
To configure a Layer 2 ACL:
9
Step
Command
Remarks
1. Enter system view.
system-view N/A
2. Create a Layer 2 ACL and
enter its view.
acl mac
{ acl-number |
name
acl-name } [
match-order
{
auto
|
config
} ]
By default, no ACL exists.
The value range for a numbered
Layer 2 ACL is 4000 to 4999.
Use the
acl mac
acl-number
command to enter the view of a
numbered Layer 2 ACL.
Use the
acl mac name
acl-name
command to enter the view of a
named Layer 2 ACL.
3. (Optional.) Configure a
description for the Layer 2
ACL.
description
text
By default, a Layer 2 ACL does
not have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering
step is 5 and the start rule ID is 0.
5. Create or edit a rule.
rule
[ rule-id ] {
deny
|
permit
}
[
cos
vlan-pri |
dest-mac
dest-address dest-mask | {
lsap
lsap-type lsap-type-mask |
type
protocol-type
protocol-type-mask } |
source-mac
source-address
source-mask |
time-range
time-range-name ] *
By default
,
a Layer 2 ACL does
not contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Configuring a WLAN client ACL
WLAN client ACLs match packets based on t he SSID that the WLAN clients use to access the
WLAN. You can use WLAN client ACLs to perform access control on WLAN clients.
To configure a WLAN client ACL:
Step
Command
Remarks
1. Enter system view.
system-view N/A
2. Create a WLAN client ACL
and enter its view.
acl wlan client
{ acl-number |
name
acl-name }
By default, no ACL exists.
The value range for a numbered WLAN
client ACL is 100 to 199.
Use the
acl wlan client
acl-number
command to enter the view of a
numbered WLAN client ACL.
Use the
acl wlan client name
acl-name command to enter the view of
a named WLAN client ACL.
3. (Optional.) Configure a
description for the WLAN
client ACL.
description
text
By default, a WLAN client ACL does not
have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering step is 5
and the start rule ID is 0.
10
Step
Command
Remarks
5. Configure or edit a rule.
rule
[ rule-id ] {
deny
|
permit
} [
ssid
ssid-name ]
By default
,
a WLAN client ACL does not
contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Configuring a WLAN AP ACL
WLAN AP ACLs match packets from WLAN APs based on the MAC address or serial ID.
To configure a WLAN AP ACL:
Step
Command
Remarks
1. Enter system view.
system-view N/A
2. Create a WLAN AP ACL and
enter its view.
acl wlan ap
{ acl-number |
name
acl-name }
By default, no ACL exists.
The value range for a numbered
WLAN AP ACL is 200 to 299.
Use the
acl wlan ap
acl-number
command to enter the view of a
numbered WLAN AP ACL.
Use the
acl wlan ap name
acl-name command to enter the
view of a named WLAN AP ACL.
3. (Optional.) Configure a
description for the WLAN AP
ACL.
description
text
By default, a WLAN AP ACL does
not have a description.
4. (Optional.) Set the rule
numbering step.
step
step-value
By default, the rule numbering
step is 5 and the start rule ID is 0.
5. Configure or edit a rule.
rule
[ rule-id ] {
deny
|
permit
}
[
mac
mac-address mac-mask ]
[
serial-id
serial-id ]
By default
,
a WLAN AP ACL does
not contain any rules.
6. (Optional.) Add or edit a rule
comment.
rule
rule-id
comment
text
By default, no rule comment is
configured.
Copying an ACL
You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL)
has the same properties and content as the source ACL, but uses a different number or name than
the source ACL.
To successfully copy an ACL, make sure:
The destination ACL number is from the same type as the source ACL number.
The source ACL already exists, but the destination ACL does not.
To copy an ACL:
Step
Command
1. Enter system view.
system-view
11
Step
Command
2. Copy an existing ACL to create a new ACL.
acl
[
ipv6
|
mac
]
copy
{ source-acl-number |
name
source-acl-name }
to
{ dest-acl-number |
name
dest-acl-name }
Configuring packet filtering with ACLs
This section describes procedures for applying an ACL to filter incoming or outgoing IPv4 or IPv6
packets on the specified interface.
This feature does not take effect on an interface that is an aggregation member port.
Applying an ACL to an interface for packet filtering
The following matrix shows the feature and hardware compatibility:
Hardware series
Model
Feature compatibility
WX1800H series
WX1804H
WX1810H
WX1820H
Yes
WX2500H series
WX2510H
WX2540H
WX2560H
Yes
WX3000H series
WX3010H
WX3010H-L
WX3010H-X
WX3024H
WX3024H-L
No
WX3500H series
WX3508H
WX3510H
WX3520H
WX3540H
Yes
WX5500E series
WX5510E
WX5540E
Yes
WX5500H series
WX5540H
WX5560H
WX5580H
Yes
Access controller modules
EWPXM1MAC0F
EWPXM1WCME0
EWPXM2WCMD0F
LSQM1WCMX20
LSQM1WCMX40
LSUM1WCME0
LSUM1WCMX20RT
LSUM1WCMX40RT
Yes
12
To apply an ACL to an interface for packet filtering:
Step
Command
Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Apply an ACL to the interface
to filter packets.
packet-filter
[
ipv6
|
mac
]
{ acl-number |
name
acl-name }
{
inbound
|
outbound
}
By default, an interface does not
filter packets.
You can apply up to 32 ACLs to
the same direction of an interface.
Configuring SNMP notifications for packet filtering
You can configure the ACL module to generate SNMP notifications for packet filtering and output
them to the information center or SNMP module at the output interval. If an ACL is matched for the
first time, the device immediately outputs a notification instead of waiting for the next output. The
notification records the number of matching packets and the matched ACL rules.
For more information about the information center and SNMP, see Network Management and
Monitoring Configuration Guide.
To configure SNMP notifications for packet filtering:
Step
Command
Remarks
1. Enter system view.
system-view
N/A
2. Set the interval for outputting
packet filtering notifications.
acl
trap
interval
interval
The default setting is 0 minutes.
By default, the device does not
generate SNMP notifications for
packet filtering.
Setting the packet filtering default action
The following matrix shows the feature and hardware compatibility:
Hardware series
Model
Feature compatibility
WX1800H series
WX1804H
WX1810H
WX1820H
Yes
WX2500H series
WX2510H
WX2540H
WX2560H
Yes
WX3000H series
WX3010H
WX3010H-L
WX3010H-X
WX3024H
WX3024H-L
No
WX3500H series
WX3508H
WX3510H
Yes
/